A telemedicine platform, a hospital information system, or standalone diagnostic software is no longer a regulatory grey area in Kenya. Two distinct regimes now converge on digital health products: the Digital Health Act, 2023, which governs the platforms and the data they handle, and the Pharmacy and Poisons Board’s emerging framework for Medical Device Software (MDSW), which governs software that functions as, or within, a medical device. A health-tech company operating in Kenya may need to satisfy both regimes simultaneously, and they are administered by different bodies with different logic.
The Digital Health Act, 2023
The Digital Health Act (No. 15 of 2023) established the Digital Health Agency, a body corporate responsible for Kenya’s Comprehensive Integrated Health Information System. The Act requires the Agency to develop standards for m-Health, telemedicine, and e-learning, establish a regulatory framework for the e-health ecosystem’s data lifecycle, and provide for the safe transfer of personal, identifiable health data to and from health facilities within and outside Kenya.
Two implementing regulations are already gazetted and in force:
- The Digital Health (Health Information Management Procedures) Regulations, 2025 (Legal Notice 76 of 2025), which require the Agency to certify digital health solutions, including e-health and telemedicine platforms, against a Certification Framework, and set a minimum health data retention period of twenty years.
- The Digital Health (Data Exchange Component) Regulations (Legal Notice 77 of 2025), which establish a telemedicine health provider registry and require certified digital health solutions to report a minimum data set to the Agency.
Certification is not a formality. An applicant must undertake self-attestation and prepare a self-attestation report before applying (Form HMIS 4), and the application must be accompanied by evidence of registration with the Office of the Data Protection Commissioner as both a data controller and data processor, plus a Data Protection Impact Assessment report prepared under the Data Protection Act. A certificate of compliance is valid for two years. A draft fee schedule circulated by the Ministry of Health (not yet confirmed as gazetted in final form) proposed an application fee of Kshs 20,000, with a Kshs 250,000 fee specifically for telemedicine certification and Kshs 50,000 for m-Health solutions, a materially higher cost tier than most other CMA or CBK licence categories.
Under the Act’s data governance provisions, a data controller who transfers biological specimens, health images, human tissue, or organs of a Kenyan citizen outside Kenya must ensure confidentiality of personal health information, and where the transfer relates to health research or a post-mortem, must report findings to the Director-General for Health and notify the Cabinet Secretary before sharing.
Medical Device Software: A Second, Separate Regime
Separately from the Digital Health Act, the Pharmacy and Poisons Board is developing a dedicated framework for Medical Device Software. It covers both Software as a Medical Device (SaMD), meaning standalone software with a medical purpose, and Software in a Medical Device (SiMD), meaning software embedded within hardware. PPB’s Chief Executive has stated the framework will regulate SaMD separately from embedded software, reflecting the different risk profile of standalone diagnostic, monitoring, and treatment software.
The framework, as described by PPB, classifies software by risk and clinical impact, requires documentation on software design, risk assessment, clinical validation, version control, and post-market surveillance, and expects compliance with international standards including IEC 62304 (software lifecycle) and ISO 14971 (risk management). It draws explicitly on Kenya’s National Cybersecurity Strategy (2022-2027), the Digital Health Act itself, and the Kenya AI Strategy (2025-2030), reflecting the framework’s origin in a 2022 WHO Global Benchmarking Tool exercise that identified SaMD oversight as a regulatory gap, part of PPB’s pursuit of WHO Maturity Level 3 status.
Cybersecurity is a first-order requirement, not an afterthought. Medical software connected to networks or cloud systems must be secured throughout its lifecycle using secure-by-design and secure-by-default approaches, including authentication, role-based access controls, encryption, network segmentation, and continuous vulnerability monitoring. Manufacturers must maintain structured post-market plans for vulnerability disclosure, patching, and incident response.
Applications will be submitted through PPB’s online portal (PRIMS), with fees linked to risk classification, consistent with the fee structure PPB already applies to medical device registration generally.
Practical Implication: Two Regulators, One Product
A telemedicine platform that also runs diagnostic algorithms may need Digital Health Agency certification for the platform and data-handling layer, and separate PPB registration for the diagnostic software component if it independently qualifies as a medical device. These are not alternative pathways; both can apply to the same product, and they are administered by two different bodies with different documentation requirements, fee schedules, and validity periods. Companies building health-tech products for the Kenyan market should map which regulatory touchpoints apply at the design stage, not after launch, since retrofitting DPIA documentation or IEC 62304-compliant design records onto an already-built product is materially more expensive than building them in from the start.
The registry provisions also matter for anyone providing telemedicine services specifically. The Regulations establish a telemedicine health provider registry within the System, intended as the single source of reference for who is authorised to provide telemedicine in Kenya. A telemedicine health provider must be a healthcare worker qualified, registered, and licensed to practise in Kenya. A platform therefore cannot simply onboard any willing clinician, foreign or domestic, without confirming that the clinician holds a valid Kenyan practising licence in addition to whatever qualifications they hold elsewhere.
Data Protection Overlay
Health data is sensitive personal data under the Data Protection Act, 2019, and both regimes reference DPA compliance explicitly rather than treating it as a separate concern. A digital health solution provider must be registered with the Office of the Data Protection Commissioner as both data controller and data processor before applying for Digital Health Agency certification, and must produce a Data Protection Impact Assessment as part of that application. This means DPA registration is a practical precondition to operating a certified telemedicine or e-health platform in Kenya, not a parallel compliance track that can be addressed later.
This article is for general information and does not constitute legal advice. The PPB Medical Device Software framework is, as of this writing, a developing regulatory guideline rather than a fully gazetted regulation, and its final requirements, fees, and timelines should be confirmed directly with PPB before a company relies on the description here for a specific product launch.
Enforcement and Offences
The Act creates specific offences tied to data integrity rather than relying only on general penalty provisions. A health data controller who submits false or misleading information to the facility registry commits an offence. Separately, a health data controller who fails to submit required reports to the Health Management Information Services Platform commits an offence under a different penalty tier. The Agency also has an administrative enforcement tool short of prosecution: it may suspend a health data controller’s access to the enterprise service bus for compliance failures, subject to the Fair Administrative Action Act, and must notify the controller of the suspension and the reasons within three days. Access can be restored once the compliance issues are resolved.
Related Reading
This is the second article in our Life Sciences and Healthcare series. See our companion guides to medical device and health product registration with the Pharmacy and Poisons Board, and pharmaceutical manufacturing licensing and EPZ incentives.
Sources: Digital Health Act, 2023 (No. 15 of 2023); Digital Health (Health Information Management Procedures) Regulations, 2025 (Legal Notice 76 of 2025).
Building a telemedicine, e-health, or medical device software product for the Kenyan market? Clay & Associates Advocates advises on Digital Health Agency certification, PPB SaMD registration strategy, and Data Protection Act compliance for health-tech products. Contact us to discuss your product.






